Sunday, January 22, 2012

After a successful 2-day quest to wrap my mind around the complexities of this DD-WRT configuration, I wanted to document my experience to hopefully save someone time in a similar situation in the future.

Background and Goal:

I'm about to move into a small office where two companies will be sharing a network environment. Our goal was to set up one router that controlled internet in/out of the office and also create two distinct, firewalled LANs, one for each company's employees. We also wanted each of the LANs to have a corresponding secured wireless network (WLAN) plus a guest network that was completely isolated from the other two.

The hardware:

I happened to have an unused Linksys (Cisco) WRT310N v1 router in my house and decided to put it to use for this job. I've installed DD-WRT on several different routers in the past, but hadn't had the occasion to configure VLANs, so this was new (and quite difficult at first) to understand.

DD-WRT Router Architecture - This article is key to understanding which ports are which on your router, which you'll have to know before you begin configuration.

Note that if you have a Gigabit router, focus on the port/vlan names in bold throughout this article. On my WRT310N, the key names/devices to know were:

Port 0: Physical WAN port

Ports 1-4: These map directly to the physical port numbers on the WRT310N. In other cases, Port 1 internally might map to the physical Port 4 on the router. You'll need to do a bit of experimenting to determine which is the case with your router. A good way to determine this is to follow the steps in "Disable LAN ports" on the Switched Ports tutorial. Disable port 1 or port 4 as explained there and take note of whether it maps to the corresponding physical port # or if it is reversed.

vlan1: vlan associated with the physical network ports 1-4

vlan2: vlan associated with the WAN socket

Port 8: Internal port connecting to the internal router (this can be confusing) - what is important to know is that this port is required to be included in any VLAN that you wish to allow to be routed outside of that specific VLAN. (In almost every scenario you'll be including Port 8 so that the port can be routed

Subnets used in the examples below:

My main subnet (vlan2) is 192.168.20.1

My secondary subnet (vlan11) is 192.168.21.1

DD-WRT Switched Ports - This shows you how to find the initial configuration of your router as it pertains to the VLANs.

Below is the output from my router using the commands explained on this page:

#ASSIGNS NEW VLAN11 WITH PORTS 3 & 4 FROM THE ROUTER
root@DD-WRT:~# nvram set vlan11ports="3 4 8"

#SETS HWNAME OF VLAN11
root@DD-WRT:~# nvram set vlan11hwname=et0

#DEFINES CHECK BOXES FOR GUI FOR PORT 4
root@DD-WRT:~# nvram set port4vlans="11 18 19"

#DEFINES CHECK BOXES FOR GUI FOR PORT 3
root@DD-WRT:~# nvram set port3vlans="11 18 19"

#ASSIGNS VLAN 11 TO THE CPU PORT OF THE ROUTER (NORMALLY 8 IN GB ROUTER, EXCEPT IN THIS AREA OF THE CONFIG)

The directions immediately below roughly follow this tutorial (VLAN_Detached_Networks), but those steps did not work for me exactly as written, so my version is below. The linked article is very helpful, so definitely read it as well to help guide you through the process.

At this point, we've defined the two separate VLANs tied to the physical ports. Next, we have to assign the IP range for the new subnet, and follow steps to create a DHCP IP address pool for each subnet so that any computers connected to the ports receive an IP address in the correct subnet.

This can be done from Setup -> Networking.

Configure the newly created vlan11 to be unbridged. Provide a new IP address for the vlan11 subnet with a 255.255.255.0 subnet mask. This configuration does not appear to work entirely by itself on my router, so I had to enter it into the DD-WRT startup script as well.

"Save" and "Apply" your settings, and at this point you can test by plugging your computer into ports 1 / 2 / 3 / 4 and confirm that you have been assigned an IP address from the right pool.

Lastly, you must isolate the networks you have created from each other. You do so by entering the following firewall rules in Administration -> Commands -> Firewall. Credit for most of these rules goes to ChristopherKois, as those in the DD-WRT wiki did not work for me (thank you!).

Once in place, you can test your configuration to see if you can ping computers plugged into vlan11 when on vlan2 and vice versa. (You should not be able to.)
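As an added example (not the original post's script, nor anything from the DD-WRT project), the following startup/firewall script covers the last two steps above: bringing up vlan11 with the second subnet and isolating the two LANs with iptables. It assumes the main LAN is bridge br0 (vlan1 plus the primary wireless) on 192.168.20.0/24, the second company is the unbridged vlan11 on 192.168.21.0/24, and the WAN is vlan2; DRY_RUN defaults to 1 so the script prints each command for review instead of executing it.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumed layout: main LAN is
# bridge br0 (vlan1 + primary wireless) on 192.168.20.0/24, the second company
# is unbridged vlan11 on 192.168.21.0/24, WAN is vlan2. DRY_RUN=1 (default)
# prints each command; set DRY_RUN=0 on the router to apply them for real.
DRY_RUN="${DRY_RUN:-1}"
MAIN_IF="br0";   MAIN_NET="192.168.20.0/24"
SEC_IF="vlan11"; SEC_IP="192.168.21.1"; SEC_NET="192.168.21.0/24"
WAN_IF="vlan2"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Startup-script part: give vlan11 its address, since the Setup -> Networking
# entry alone did not stick on the author's router.
setup_vlan11() {
    run ifconfig "$SEC_IF" "$SEC_IP" netmask 255.255.255.0 up
}

# Firewall-script part. "iptables -I" puts each rule at the top of its chain,
# so the LAST rule inserted here is evaluated FIRST; order matters below.
isolate_vlans() {
    # Let vlan11 reach the internet: forward to the WAN and NAT its addresses
    # (harmless if DD-WRT's own SNAT rule already covers this subnet).
    run iptables -I FORWARD -i "$SEC_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "$SEC_NET" -j MASQUERADE
    # No traffic between the two company LANs in either direction. Dropping by
    # destination subnet also drops replies, so nothing can be established.
    run iptables -I FORWARD -i "$SEC_IF" -d "$MAIN_NET" -j DROP
    run iptables -I FORWARD -i "$MAIN_IF" -d "$SEC_NET" -j DROP
    # vlan11 hosts may reach the router itself only for DHCP and DNS, not the
    # web GUI, SSH or telnet. The DROP goes in first so the ACCEPTs sit above it.
    run iptables -I INPUT -i "$SEC_IF" -j DROP
    run iptables -I INPUT -i "$SEC_IF" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$SEC_IF" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$SEC_IF" -p tcp --dport 53 -j ACCEPT
}

setup_vlan11
isolate_vlans
```

With the INPUT rules in place, hosts on vlan11 cannot ping or open the router's GUI; the ping test described in the post is between hosts on the two VLANs, which the FORWARD drops cover.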

The last steps I followed after this were to create virtual wireless interfaces that correspond to each of the VLANs so that both companies in the office have a functional wireless network that bridges to their wired VLAN. This was relatively simple compared to the previous process. I might cover this in a future post, but if you've made it this far, you can likely follow this guide (Multiple WLANs) on your own to complete the process.

I am curious about the use of VLANs to sort out an issue that I have. I have the E2000 Linksys/Cisco router. On my network, besides my wireless clients, I have wired in a Netgear ReadyNAS nv+. I notice that when I am downloading NZB files, it brings all of the rest of the network to a crawl. Would implementing VLANs reduce the problems that I am having? For instance, if I am looking at a movie under XBMC with the shares located on the ReadyNAS nv+, and movie files start downloading (again on the ReadyNAS), would a VLAN allow for no need for buffering while the NZB files are coming down?

Informative article. A virtual private network, or just VPN, helps encrypt and secure your router against data theft, misuse and online fraud. A single DD-WRT router VPN can protect internet traffic for all of the networked computers, thus saving you an enormous cost for internet security and privacy. Furthermore, Purevpn will also redress individual IPs of each computer or device on the network, therefore helping you secure identities of computers on the World Wide Web. http://www.bestvpnservice.com/providers/30/purevpn.html